Webmin / Virtualmin / Usermin Uses Wrong / Incorrect / Outdated SSL Certificates

»»»Webmin / Virtualmin / Usermin Uses Wrong / Incorrect / Outdated SSL Certificates

Webmin and its modules or user interfaces, Virtualmin, Usermin and Cloudmin, supports usage of SSL certificate for HTTPS access to the administration control panel UI in order to fence off network sniffing attack that could capture your user name and password login credentials on unprotected network traffic.

Webmin uses MiniServ, a ultra-lightweight and minimalistic web server written in C, as its web server for its web applications, and not the Apache HTTPD server or NGINX web server that is installed by Virtualmin for virtual servers (websites) use.

MiniServ supports usage of SSL. In fact, Webmin enables SSL by default if the OpenSSL library and Net::SSLeay Perl module are installed on the system, by using self-signed certificate to support SSL encrypted communication between the server and web browser. Webmin’s MiniServ supports and has GUI to generate, install and use a valid SSL certificate issued and signed by a certificate authority (CA) too, such as the free Let’s Encrypt SSL cert.

When using a SSL certificate for Webmin, sometimes the new SSL certificate installed (either directly via Webmin Configuration -> SSL Encryption or by copying to Webmin or Usermin via Manage SSL Certification module of Virtual Server’s configuration) may not be recognized and used by MiniServ, even though in the “Webmin Configuration” -> “SSL Encryption”, the current certificate listed is the correct SSL cert that you want to Webmin to use. For example, you installed a valid Let’s Encrypt SSL certificate, and Webmin indicates that the current certificate is signed and issued by Let’s Encrypt Authority X3 for correct domain name, but when browsing Webmin, Virtualmin, Usermin or Cloudmin, the web browser prompts the site is not secure and your connection is not private nor secure, either, as Webmin is still using the old or previously installed SSL certificate such as self-signed wildcard certificate or invalid SSL cert with wrong host name or expired SSL cert.

To make the matter worse, the valid and correct SSL certificate is installed at the directory path indicated by Webmin Configuration, i.e., /etc/webmin/, with correct permissions. If you set up a new SSL certificate, Webmin will install it correctly and the new cert will show up as the current certificate, but Webmin still provides the previous old outdated SSL certification to the web browser.

The wrong SSL certificate issue happens only to Webmin, Virtualmin, Usermin and/or Cloudmin, but not on SSL certificates that are installed on virtual servers for HTTPS SSL secure websites. In fact, Webmin may stubbornly uses the SSL certificate that is added to one of the virtual server for itself, causing the invalid SSL certificate error due to wrong domain name.

The error happens because of wrong or incorrect configuration of MiniServ web server used by Webmin. Inside the miniserv.conf config file (located in /etc/webmin/ directory), the current SSL certificate and private key file used by Webmin and Usermin are defined as follow:

userfile=/etc/webmin/miniserv.users
keyfile=/etc/webmin/letsencrypt-key.pem

While the paths to the SSL public certificates and private keys for domains managed by Virtualmin and Webmin are defined in the lines similar to the following:

ipcert_domain.com,.subdomain.domain.com=/home/domain/domains/ssl.cert
ipkey_domain.com,.subdomain.domain.com=/home/domain/ssl.key

The purpose of the MiniServ to have domain-specific SSL certificate defined is to allow Webmin and Usermin to serve the correct SSL cert for a particular domain based on the domain being accessed.

However, any wrong configuration may cause Webmin and/or Usermin to send wrong SSL certificate instead. If there is domain-specific SSL setup matches the domain name which you’re using to access the Webmin, Virtualmin, Usermin or Cloudmin, it will be used instead, even though the SSL certificate is not signed and issued to FQDN of Webmin.

For example, you access Webmin via hostname.domain.com, while the miniserv.conf contains ipcert and ipkey which includes a wildcard (*.domain.com), and this entry will take precedence over the userfile and keyfile preferences.

To resolve the issue, identify the conflict or error which causes Webmin to use invalid or outdated SSL certificate, and then modify the entries so that Webmin’s FQDN does not match with domains specified by ipkey and ipcert, and that userfile and keyfile values point to valid SSL certificate and key that you want to use.

Once the change is made, restart the Webmin for the change to take effect:

# /etc/init.d/webmin restart
Note
If you set up a virtual server that has a same hostname as Webmin / Virtualmin, you need to create SSL certificate for the hostname’s FQDN used by Webmin / Virtualmin via Server “Configuration” -> “Manage SSL Certificate”. Creating or configuration SSL certificate, including Let’s Encrypt, from Webmin Configuration may not be working, e.g. Webmin continues to use old SSL cert.

By |2018-09-20T23:19:06+00:00September 20th, 2018|Categories: Web Servers|0 Comments

About the Author:

LK is a technology writer for Tech Journey with background of system and network administrator. He has be documenting his experiences in digital and technology world for over 15 years.Connect with LK through Tech Journey on Facebook, Twitter or Google+.